The saying ‘You can't clap with one hand’ applies perfectly to the situation where people are duped after sharing personal details with cybercriminals. In most cases of cyberfraud, the victims have invariably shared some information such as a login ID, password or one-time passcode (OTP). After realising they are duped, victims often deny having shared information with cybercriminals. Such denials, or playing the 'victim card', only make it difficult for banks and police to investigate the crime correctly and in time.  

 

While the government and its babus are bulldozing people to link their permanent account number (PAN) with Aadhaar, they offer no solution for the misuse of any of these. For example, three people received notices from the income-tax (I-T) department to pay tax dues on several crore rupees recorded in bank accounts opened with their PAN cards. I will explain this in detail later.  

 

You Can't Clap with One Hand

 

When you share personal information such as your name, address, date of birth, PAN, Aadhaar, bank account or any other financial information with a cybercriminal, you are essentially giving away the keys to the safe storing your valuables. This makes it very easy for fraudsters to dupe you, using this very information.

 

Remember, most financial transactions require two-factor authentication (2FA). The two factors are—knowledge (something the user knows) and possession (something the user has).

 

For example, if you want to withdraw cash from an automated teller machine (ATM), you must have a plastic card (debit, ATM or credit). This is what you possess. Secondly, you need to know the personal identification number (PIN), which is knowledge or something the user knows. Using this 2FA, you can withdraw money from the ATM. While using the same card for online transactions, you would need to provide the card number and its card verification value (CVV) as the primary authentication factor and then the OTP as 2FA. 

 

When a cybercriminal contacts you, he may have some knowledge (data may be obtained from the dark web), like your account number or card number. But to complete a transaction, he would need the second factor (usually the OTP). This is where he contacts you and tries to obtain your second factor, under some false pretext. 

 

If you do not respond and refuse to share this information, you are saved. The moment you share it, the cybercriminal will start clapping since he has what he needs to rob you of your money.   

 

Here are some examples of how cybercriminals contact victims on their mobile phones to obtain personal information:

 

Smishing: Smishing is a form of phishing that occurs via text message. Cybercriminals send the victim a text message that appears to be from a legitimate source, such as a bank or a government agency. The victim is asked to click on a link or provide personal information. If the victim falls for the scam and provides their information, the criminal can use it for fraud.

 

Vishing: Vishing is similar to smishing, but instead of a text message, the criminal contacts the victim via phone call. The caller may pose as a representative from a bank, credit card company, or other legitimate organisation and ask the victim to provide personal information such as their Aadhaar number or credit card information. The caller may use various tactics to convince the victim that she/he is legitimate, such as providing fake credentials or threatening legal action.

 

Fake Tech Support Calls: Cybercriminals may call victims and claim to be from a tech support company offering assistance with a supposed technical issue on the victim's phone. The criminal may ask the victim to download an app or provide access to their device, allowing them to install malware or steal personal information.

 

Robocalls/IVR Calls: Some cybercriminals use automated phone calls, or robocalls, to scam victims. The caller may claim to be from a government agency or a financial institution and ask the victim to provide personal information or make a payment to avoid legal action or penalties. Recently, many direct selling agents (DSAs) appointed by banks and financial institutions are using interactive voice response (IVR) or automated calls to offer personal loans and credit cards. During these calls, you are asked to give consent by pressing a number. However, the moment you press the number, your consent is recorded and you will end up with an unrequired credit or debt. So, be careful while answering any automated call. 

 

These are just a few examples of how cybercriminals contact victims on mobile phones to obtain personal information. Be cautious when you receive unsolicited calls or messages and never provide personal information to unknown callers. If you receive a suspicious call or message, it is best to hang up or delete it and contact the organisation using a verified phone number or website.

 

In short, it is important to remember that ‘You can't clap with one hand’.

 

If you fall prey to fraud, please do not hide facts; inform the investigating officer if you have shared any information with the criminal. This will allow them to focus on the crime instead of wasting time on finding out how the fraudster obtained all your details, including the 2FA, without your knowledge. It will also allow them to trace the money trail and possibly freeze the account where your money is siphoned. 

 

Dire Consequences of PAN Misuse

 

Ravi Gupta from Bhind in Madhya Pradesh (MP), who earns a salary of Rs58,000 a month, has received yet another notice from the income-tax (I-T) department to deposit a whopping Rs113 crore as taxes for alleged transactions of Rs132 crore that were reportedly carried out in his account in 2011-12, says a report from Times of India (ToI).

 

According to the newspaper, this comes, despite an inquiry initiated by none other than the office of prime minister (PMO) Narendra Modi, who took notice of Mr Gupta's plight after ToI's first report on his case in 2020. 

 

After the ToI report in January 2020, the PMO referred Mr Gupta's case to the finance ministry, which was routed to the bank by the Reserve Bank of India (RBI). The Bank submitted a report clearing Mr Gupta. However, when he received a fresh notice through the I-T department's 'faceless proceedings', Mr Gupta was in a state of utter disbelief.

 

However, he is not alone in coming under the lens of the tax authorities. Two of Mr Gupta's former colleagues from the same business process outsourcing (BPO)—Kapil Shukla and Khandwa's Praveen Rathore—have received similar notices for 2011-12. "Transactions of Rs290 crore were made through an account opened in the name of Mr Rathore using his PAN card. Three transactions of Rs95 crore, Rs47 crore and Rs25 lakh were made from the account in Mr Gupta's name by a diamond firm."

 

A youth in Rajasthan who runs a small shop also received a notice from the I-T department for depositing over Rs12.2 crore. "The notice sent to Krishna Gopal Chhaparwal, who makes Rs8,000-Rs10,000 a month, said that two other companies were registered in his name in Surat," the newspaper says.

 

In all cases, PAN numbers were used to open business accounts. Mr Gupta told the newspaper, "So, it's Surat again and diamond traders, as it was with me and two other victims from MP. There may be many more."

 

Just for information, anyone with an Aadhaar can open a bank account. As I mentioned in August 2022, during a scrutiny of suspicious bank accounts, HDFC Bank discovered that 33 savings accounts were opened with the photographs of just two individuals, while the name in each account was different. (Read: Fraud Alert: Aadhaar Menace Also Hitting Banks, Lenders) 

 

Over the years, Moneylife has constantly been highlighting risks associated with Aadhaar-based payment solutions and how it can be used to propagate money laundering—make money transfers un-auditable, propagate money laundering and financial fraud. (Read: How Aadhaar linkage can destroy banks). We also pointed out how Jan Dhan accounts, which were opened with a simple Aadhaar number, had deposits as high as Rs93.82 crore! (Read: Rs93.82 Crore Was Deposited in a Single Jan Dhan Account, Reveals RTI)

 

As we keep reiterating, never share your personal information with anyone. Even if you must submit a photocopy of any of your documents like PAN or Aadhaar, make sure to sign across on the photocopy and put the date, time, and purpose. This will help you avoid getting into situations like Mr Gupta and others.

 

How To Report Cyber Fraud?

 

Do report cybercrimes to the National Cyber Crime Reporting Portal http://cybercrime.gov.in or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c). 

 

Are you a victim of Online Financial Fraud? Immediately call helpline Number 1930 and register your complaint at https://t.co/cr6WZMOi4c pic.twitter.com/HZqUMKSDNF

— Cyber Dost (@Cyberdost) October 12, 2022